GDPR isn’t just a new law, it’s a new mindset

GDPR isn't just a tick-box exercise; it's changing the way we think about information governance for the better.


Two months ahead of the 25 May 2018 deadline, businesses across Europe, and those around the world with European clients, may be struggling to attain GDPR compliance. Amid the data cleansing and impact assessments, David Fathers, Regional General Manager for Crown Records Management, is keen that we don’t forget what this change in the law is really all about: the real dangers of non-compliance and the overall benefits GDPR will bring.

“GDPR is a civil rights issue,” David says. “It’s your data, you own it and you get to decide who can know about you. It’s a change in mindset and it’s changing the way we think about information governance for the better.”
Most organizations hold data without understanding its inherent value, David claims. “There are myriad instances of inadvertent data breaches. For example, what about the local GP’s office, which was fined heavily because a receptionist revealed a woman’s address to her ex-husband and abuser? That woman had a right to data privacy and that’s what this law is designed to protect.”
David points to the way companies deal with data at the moment: “Companies will think nothing of collecting a spreadsheet of personal data, saving it to an unsecured computer desktop and distributing it across unprotected email servers.” He asserts, “That’s got to change now because the companies don’t own that data anymore; you do.”
GDPR gives individuals the right to erasure, better known as the right to be forgotten. That’s a big legal change: companies have to find everywhere your data is stored, erase it, and confirm that they have done so within one month of a request (Article 12(3) GDPR; the period can be extended by two further months for complex requests). For some companies, this is going to be a mammoth challenge, David says.
He gives the example of companies that boast about their backup systems but don’t currently have a process for archiving data. “There’s a substantial difference between a back-up and an archive, which is frequently not understood,” David explains. “The back-up should be short term, kept in case your server breaks down, but the archive is the stuff that’s actively managed. You should understand what’s in the archive, the context in which it was collected, the legal basis for keeping it, the specified amount of time you have to keep it for and when you’re going to destroy it.” Holding back-ups for decades is not an active archive; it is merely storing data.
Being fined is a deterrent (and the fines can be substantial: up to €20 million or four percent of worldwide annual turnover, whichever is higher), but the risk of reputational damage should be the biggest reason to comply with GDPR. “Reputational damage could cost companies much more than these fines in the long run,” David says, adding, “We have recently conducted a survey looking at the attitude of the general public to the GDPR question, and it was clear that people will vote with their feet in the event of a company undergoing a data breach. They will also be more inquisitive about how data is stored and managed going forwards.”
David predicts a step change in the way we think about information governance. For a start, because of GDPR, companies will have to understand the data they’re holding, store less of it and, even better, start protecting it more effectively. He says, “New information governance systems are moving towards a privacy-by-design methodology, and that’s a whole different mindset to what we’ve got right now.”
David explains, “If your data is stored in plain text and you’ve put up a firewall, you’re basically putting a sticking plaster on a heart attack. What you want to move towards is having an encrypted solution, so that your data won’t be readable even if, or more likely when, it’s breached.”
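David’s point about plaintext behind a firewall, and the article’s earlier point that erasure requests also have to reach data sitting in backups, can be made concrete. The Go program below is an added example written for this page; it is not code from the article or from Crown Records Management. It encrypts each person’s record with a per-person AES-256-GCM key held apart from the records, so a copied database is unreadable without the key store, and it goes one step further than the quote: it honours an erasure request by destroying that person’s key (crypto-shredding), which makes every copy, the backup included, unreadable without having to locate and scrub each one. The `Store` layout, the subject identifier `subject-42`, the record contents and the in-memory key map are constructed for the demo; in a real system the keys would live in an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record for the demo; not real personal data.
const sampleRecord = `{"name":"A. Example","address":"12 Sample Street, Exampletown"}`

// Store is a toy encrypted record store keyed by data-subject identifier (hypothetical layout).
type Store struct {
	keys    map[string][]byte // one AES-256 key per subject; stands in for an HSM/KMS kept apart from the data
	Records map[string][]byte // live copy: nonce || ciphertext || GCM tag
	Backup  map[string][]byte // independent copy of the same ciphertext, as an offline backup would hold (constructed)
}

func NewStore() *Store { return &Store{keys: map[string][]byte{}, Records: map[string][]byte{}, Backup: map[string][]byte{}} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM under a fresh random 96-bit nonce; aad (the subject id) is authenticated, not encrypted, so a blob cannot be quietly re-attached to another person.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; a truncated, tampered or re-attributed blob fails the GCM tag check.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("truncated blob")
}

// Put encrypts a record under the subject's key (created on first use) and writes the ciphertext to the live copy and to the backup.
func (s *Store) Put(subject string, plaintext []byte) error {
	key, ok := s.keys[subject]
	if !ok {
		key = make([]byte, 32) // AES-256
		if _, err := rand.Read(key); err != nil {
			return err
		}
		s.keys[subject] = key
	}
	blob, err := Seal(key, plaintext, []byte(subject))
	if err != nil {
		return err
	}
	s.Records[subject] = blob
	s.Backup[subject] = append([]byte(nil), blob...) // separate copy, like a real backup
	return nil
}

func (s *Store) decryptFrom(src map[string][]byte, subject string) ([]byte, error) {
	key, haveKey := s.keys[subject]
	blob, haveRec := src[subject]
	if !haveKey || !haveRec { // ciphertext may still exist, but without the key nobody can read it
		return nil, fmt.Errorf("subject %q: key present=%v, record present=%v", subject, haveKey, haveRec)
	}
	return Open(key, blob, []byte(subject))
}

func (s *Store) Get(subject string) ([]byte, error)     { return s.decryptFrom(s.Records, subject) }
func (s *Store) Restore(subject string) ([]byte, error) { return s.decryptFrom(s.Backup, subject) }

// Erase honours an erasure request by destroying the subject's key (crypto-shredding): every copy of the ciphertext, backup included, becomes unreadable at once.
func (s *Store) Erase(subject string) { delete(s.keys, subject) }

func main() {
	s := NewStore()
	_ = s.Put("subject-42", []byte(sampleRecord))
	pt, _ := s.Get("subject-42")
	fmt.Printf("before erasure: %s\n", pt)
	s.Erase("subject-42")
	_, err := s.Restore("subject-42")
	fmt.Println("restore from backup after erasure:", err)
}
```

Run it with `go run` to see the record decrypt before erasure and the restore from backup fail afterwards. Two caveats a practitioner would add: the key store is now the thing you have to protect and back up on its own schedule (losing it is the same as erasing everyone), and a random 96-bit GCM nonce is fine for a handful of records per key but needs a counter or key rotation at high volume.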
“In terms of your business, being GDPR compliant and having a clean sheet when it comes to data loss gives you a competitive advantage,” David insists, “and that’s before you consider the hard costs you’ll be saving in data storage. On a personal level, GDPR will mean that your valuable data will be more carefully protected by the companies you entrust with it and you will have full control over where and how your data is being used.”
“GDPR is a win-win, professionally and personally,” David concludes.